Technology from the trenches

Tiger to Leopard Server Migration, Part Four

Wednesday, January 30th, 2008

Kerberos and Single Sign-on in Leopard Server

It has been a while since my last post of this series — sorry to keep you waiting. Kerberos on Mac OS X Server is a finicky thing, and it took me this long to get it working! Well, I did take a 3-week vacation, and was busy with other projects for at least 2 weeks … but it was a major pain in the ass to set up, and I’m not yet entirely satisfied.

To get straight to the point, the following procedure got Kerberos with single sign-on up and running for me. Hopefully it will work for you too.


Locked Out of Leopard Server: Fixing the Workgroup Manager Problem

Wednesday, November 21st, 2007

I booted up my Leopard server yesterday to discover that my directory administrator account — that’s the one used to authenticate to /LDAP/127.0.0.1 in Workgroup Manager — appeared to be broken. It looked as if I was locked out, as if I had forgotten my password. I knew that I hadn’t forgotten my password, and I verified that by logging into the directory using ldapsearch. However, Workgroup Manager insisted, “login information not valid for this server”.

I worked on it for a while, sifting through log files and Googling for answers, but ran out of time for the evening: I was almost late for American Gangster. To my surprise, when I booted up Leopard server today, it worked. To confirm my sanity, I rebooted again: this time, no dice. So there was some kind of random failure happening. After some hunting around, I noticed a single entry in slapd.log:

slapd[40]: SASL [conn=9] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)


Tiger to Leopard Server Migration, Part Three

Wednesday, November 14th, 2007

Picking up where the last article left off, this article looks at setting up the mail service in Leopard, including migrating mail data from Tiger.


Configuring the Mail Service

In the Server Admin application, I jumped right to the Settings part of the Mail section and filled out things appropriately. In the “Domain name” field I entered the fully qualified domain name of the server in its role as a mail server; this is the same address that is in the MX records in DNS. For example, “mail.netmojo.ca”.

The “Host name” field contains the fully qualified domain name of the server itself. “leopardserver.netmojo.ca”, for example.
